Something serious (and something not)

jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

I happened - while looking for completely unrelated reasons - to land on this page
http://www.adfsolutions.com/about/testimonials.php
where the good guys at ADF Solutions list some enthusiastic opinions coming from users of their triage software.

Among the many reports, I found two that puzzled me.

The first one (non-serious) is this one

"When we enter a terrorist suspect's home, we maximize our resources and take apart everything including the plumbing. We do the same for a local robbery suspect; I adapt my resources and level of investigation to fit the crime. Before now, we were not able to maximize our resources for forensic examinations. Adopting the ADF Solutions triage tools has provided us with this much-needed flexibility."
Forensic examiner, Leicestershire Police

I mean, a proprietor/landlord renting a flat in Leicestershire has some added risks; who is gonna re-make the plumbing? 😯

The second one is more serious

"We took possession of five computers from a suspect who had voluntarily submitted them for a forensic examination. The suspect had been unjustly accused of possession of child pornography but wanted to clear his name. We set up our SearchPaks and scanned all five machines. By 400 p.m. that day some four hours after the handover, I was able to inform the investigators that the machines were clean. This would have taken days using conventional methodology. The investigators were impressed, and the suspect was grateful that we quickly identified him as innocent. This is a good example where a negative can have a positive outcome and speedy resolution can prevent claims against law enforcement for undue delay in keeping the machines. I can see this taking off at a pace, when managers recognize its acceptable minimum risk and huge time-saving benefits. To use the old cliché, ‘We need to work smarter, not harder."

Forensic examiner, Durham Police

as it seems to me to imply that a triage tool is no longer a triage tool but something that can be used to definitively exclude the possibility that something non-legit exists, i.e. a "full replacement" for a "full" digital forensics examination.

Thoughts, ideas, experiences?

jaclaz

 
Posted : 25/08/2013 10:07 pm
(@armresl)
Posts: 1011
Noble Member
 

5 computers in a portion of a day? Nah. There is so much work that goes into a CP case, and so many places to look: software present, settings of the software, sharing/not sharing of folders, deleted items, steg items.

No way I take in 5 computers, hook up triage and give an answer until I've made an image and run through them really well.

 
Posted : 26/08/2013 8:25 am
(@mitch)
Posts: 135
Estimable Member
 

I can fully understand the reasoning with regard to a triage tool, and on the surface it seems a good idea. If you're an LE agency and have an 8-month backlog, it's a godsend (in theory), but in practice it does not work; any company/organisation relying upon this is treading on thin ice.

 
Posted : 26/08/2013 4:20 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Don't get caught up in the specific examples, especially the 'clear my name' CP one. Triage in general has its place and can often be the only solution.

Here's my specific example: a large-scale incident. The dropper/payload has been analyzed. You have OS-specific indicators of compromise. 500 people received the same email - now go triage each computer. You wouldn't look at each computer with a deep-dive mentality; you would look at each computer from an indicator-of-compromise perspective.

Triage has its place. The wise investigator should know when or when not to use it.

 
Posted : 26/08/2013 5:54 pm
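The indicator-driven fleet triage pbobby describes, as an added example that is not part of the thread and not code from any product mentioned in it. The indicator set (a dropper SHA-256, a Run-key name, a C2 hostname) and the three per-host snapshots are constructed here purely so the matching logic has something to match. The ranking tells responders which machines to image and examine in depth first; a host with zero hits has shown no known indicator, which is not the same as having been shown clean.

```python
import hashlib
from dataclasses import dataclass

# Constructed indicator set for a hypothetical phishing campaign. None of these
# values come from a real incident; they exist only so the matching has input.
DROPPER_SHA256 = hashlib.sha256(b"constructed dropper bytes").hexdigest()
IOCS = {
    "sha256": {DROPPER_SHA256},
    "run_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdaterSvc"},
    "c2_hosts": {"update-cdn.example.invalid"},
}


@dataclass
class HostSnapshot:
    """What a triage collector would pull from one host (constructed here)."""
    hostname: str
    file_hashes: dict   # path -> sha256 hex digest of that file
    run_keys: set       # persistence entries present under Run
    dns_cache: set      # hostnames present in the resolver cache


def triage_host(snap, iocs=IOCS):
    """Return (indicator_type, matched_value, location) tuples for one host."""
    hits = []
    for path, digest in snap.file_hashes.items():
        if digest in iocs["sha256"]:
            hits.append(("sha256", digest, path))
    for key in sorted(snap.run_keys & iocs["run_keys"]):
        hits.append(("run_key", key, "registry"))
    for host in sorted(snap.dns_cache & iocs["c2_hosts"]):
        hits.append(("c2_host", host, "dns_cache"))
    return hits


def triage_fleet(snapshots, iocs=IOCS):
    """Rank hosts by number of indicator hits, worst first.

    Zero hits means 'no known indicator observed', not 'clean': a variant
    with a different hash, key name or C2 host would score zero here too.
    """
    ranked = [(s.hostname, triage_host(s, iocs)) for s in snapshots]
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


def sample_fleet():
    """Three constructed hosts: fully compromised, dropper only, no indicators."""
    run_key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdaterSvc"
    return [
        HostSnapshot("ws-17",
                     {r"C:\Users\a\Downloads\invoice.exe": DROPPER_SHA256},
                     {run_key},
                     {"update-cdn.example.invalid", "intranet.example.invalid"}),
        HostSnapshot("ws-42",
                     {r"C:\Users\b\Downloads\invoice.exe": DROPPER_SHA256},
                     set(),
                     {"intranet.example.invalid"}),
        HostSnapshot("ws-03",
                     {r"C:\Users\c\Documents\report.docx": hashlib.sha256(b"benign").hexdigest()},
                     set(),
                     {"intranet.example.invalid"}),
    ]


if __name__ == "__main__":
    for hostname, hits in triage_fleet(sample_fleet()):
        print(f"{hostname}: {len(hits)} hit(s)")
        for kind, value, where in hits:
            print(f"    {kind:8} {where}: {value}")
```

In practice the snapshots come from a collector run against each live host or image; the point of the structure is that the expensive per-host question ("is there anything here?") is replaced by the cheap one ("is any of this specific set here?"), and that only the second question is what a triage pass answers.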
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

Don't get caught up in the specific examples, especially the 'clear my name' CP one.

Well, then this thread makes no sense 😯 .

I am specifically and explicitly pointing to that one, as I find it (and all you guys are seemingly confirming my impression) a misuse of the tool (and - at least "philosophically" - a serious matter).

It seems to me like analyzing a supposedly infected machine with a single antivirus, and only with its heuristic engine, disabling the latest definitions, and coming out with the conclusion that the machine does not have any virus.

Triage in general has its place and can often be the only solution.
Here's my specific example: a large-scale incident. The dropper/payload has been analyzed. You have OS-specific indicators of compromise. 500 people received the same email - now go triage each computer. You wouldn't look at each computer with a deep-dive mentality; you would look at each computer from an indicator-of-compromise perspective.

Triage has its place. The wise investigator should know when or when not to use it.

Sure :), the point I was trying to make is that your example perfectly fits the "intended usage", "theory of operation" and also "practical use" of a triage tool (and as such it represents "non news"); the posted "clear my name" one represents IMHO a (personally I believe inconsiderate) deviation from those.

jaclaz

 
Posted : 26/08/2013 7:00 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

triage works when done right and used responsibly. a lot of my work has been directed at improving triage techniques (i wrote and maintain osTriage).

triage works just fine for just about every type of case when used to move the ball forward as soon as taking in a computer or examining it while it's running.

while it CAN be used in lieu of a full forensic exam in SOME cases, it is not a replacement for a digital examiner doing his thing against evidence (regardless of what tool used for this purpose)

i can, with accuracy percentages easily in the 90%s, triage a computer and know whether or not CP has been on there within a few seconds using triage against a running computer.

if i can get you 90% of what is relevant to your investigation in a few seconds/minutes (or hours tops), doesn't it make sense to triage? the point of triage is the intelligence and evidence that can be used in an initial interview more so than the notion of replacing/killing traditional digital forensics.

i know there are places in the US that do NOT need a full forensic review and officers can pursue charges as the result of triaging a computer. of course you should always follow up and do due diligence with a more in-depth review to make sure there isn't any production, etc, but the days of spending weeks or months on each exam are not feasible or practical any more for a lot of investigations imo. of course there are exceptions to this rule.

changing gears to the specific vendor mentioned

ADF is nice and it does what it says it does, but the downside is that it costs you $$$ (1500??) to start and $$ (700??) a year and if you stop paying, it stops working.

mitch, i would love to hear your feedback on why you say triage doesn't work. maybe you need to try a better triage tool? =)

 
Posted : 26/08/2013 8:30 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

i can, with accuracy percentages easily in the 90%s, triage a computer and know whether or not CP has been on there or not within a few seconds using triage against a running computer.

if i can get you 90% of what is relevant to your investigation in a few seconds/minutes (or hours tops), doesnt it make sense to triage? the point of triage is the intelligence and evidence that can be used in an initial interview more so than the notion of replacing/killing traditional digital forensics.

There must be something wrong in the way I express myself.
From the kind of replies it seems like someone is attacking the concept of triage, and that this concept has to be defended.

Noone (at least not myself) is against triage (when used properly).

I posted to know your opinion on whether the specific use of triage for the specific case (clearing the name of suspect) is appropriate or not.

If something provides 90% accuracy, or even 95%, I find it hard - particularly for such a serious crime as CP - to pass the machines through a triage tool (good as it might be) and then affirm that there is NO CP on them; that corresponds flatly to 100% certainty.

i know there are places in the US that do NOT need a full forensic review and officers can pursue charges as the result of triaging a computer.

Still in the specific case, Durham is seemingly in the UK, not in the US.

jaclaz

 
Posted : 26/08/2013 9:19 pm
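The gap between "90% accuracy" and "the machines are clean" that jaclaz points at can be put in numbers. The following is an added example, not part of the thread and not a statement by any participant: a negative predictive value calculation with a tool's sensitivity (chance it flags material that is present), specificity (chance it reports clean when nothing is present) and the prior probability that material is present. The 0.90 / 0.95 figures are the thread's own round numbers; the priors are assumptions chosen to show how strongly the answer depends on them.

```python
def negative_predictive_value(sensitivity, specificity, prevalence):
    """P(machine truly clean | tool reports clean), by Bayes' rule.

    sensitivity: P(tool flags | material present)
    specificity: P(tool reports clean | nothing present)
    prevalence:  prior P(material present) before the scan
    """
    p_dirty = prevalence
    p_clean = 1.0 - prevalence
    # A 'clean' result comes either from a truly clean machine (specificity)
    # or from a miss on a machine that does hold material (1 - sensitivity).
    p_clean_result = specificity * p_clean + (1.0 - sensitivity) * p_dirty
    if p_clean_result == 0:
        return 0.0
    return specificity * p_clean / p_clean_result


def residual_risk(sensitivity, specificity, prevalence):
    """P(material present | tool reports clean): what 'the machines are clean'
    still leaves on the table after a negative triage result."""
    return 1.0 - negative_predictive_value(sensitivity, specificity, prevalence)


def risk_table(sensitivity=0.90, specificity=0.95, priors=(0.1, 0.5, 0.9)):
    """Residual risk for several assumed priors at fixed tool accuracy.

    The priors are illustrative assumptions: a weak allegation, a coin flip,
    and a strong allegation. The tool figures are the thread's round numbers.
    """
    return {p: residual_risk(sensitivity, specificity, p) for p in priors}


if __name__ == "__main__":
    for prior, risk in risk_table().items():
        print(f"prior {prior:.1f}: P(material present | reported clean) = {risk:.3f}")
    # Only a tool that never misses (sensitivity 1.0) turns 'reported clean'
    # into 'clean' with certainty, whatever the prior.
    print(negative_predictive_value(1.0, 0.95, 0.5))
```

With the thread's 90% / 95% figures and a 50% prior, roughly one in ten machines "reported clean" still holds material; with a strong prior the residual risk is close to even odds. The only way the function returns exactly 1.0 is a sensitivity of 1.0, which no triage tool claims, and which is the whole of jaclaz's objection.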
jhup
(@jhup)
Posts: 1442
Noble Member
 

I was able to inform the investigators that the machines were clean.

When are we able to prove non-existence of something in digital forensics?

When does lack of digital evidence declare someone innocent?

Is someone "innocent", or "not guilty"?

 
Posted : 26/08/2013 9:30 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

Something "queer" has happened (irrelevant, but "queer"), the quote from the Leicestershire policeman has seemingly changed, now it is

"When I enter a terrorist suspect’s home, we maximize our resources and take apart everything including the plumbing. When I do the same for a local robbery suspect, I adapt my resources and level of investigation to fit the crime. Until now, we were not doing this for forensic examinations. Adopting the ADF Solutions triage tools has provided me with this much-needed flexibility."

Forensic examiner, Leicestershire Police

"When we enter a terrorist suspect's home, we maximize our resources and take apart everything including the plumbing. We do the same for a local robbery suspect; I adapt my resources and level of investigation to fit the crime. Before now, we were not able to maximize our resources for forensic examinations. Adopting the ADF Solutions triage tools has provided us with this much-needed flexibility."
Forensic examiner, Leicestershire Police

A Wayback Machine copy from October 2012 is identical to the current one.

I may well - while pasting/re-formatting - have changed the "I" and "When I" with "we" by mistake, but surely I cannot have added the "able to maximize our resources" nor changed the "Before" to "until".

What the heck!!?

EDIT

Found it! :D
I took the quote from this page
http://www.adfsolutions.com/about/
instead of the one I provided the link to
http://www.adfsolutions.com/about/testimonials.php

The questions are now
Can it be that testimonials are edited/redacted/fabricated? 😯
Would TWO different Leicestershire Police Forensic examiners have such similar opinions and independently send them to ADF?

If this latter hypothesis is confirmed, the plumbing stripping must really be common practice.

jaclaz

 
Posted : 26/08/2013 10:54 pm
(@ali-b)
Posts: 16
Active Member
 

I've found triage tools such as ADF useful for some jobs - especially when looking for something specific and not having access to a forensic workstation. There are downsides though: firstly, you rely on the abilities of the suspect's machine, and after some testing I found that, when compared to the likes of EnCase, it is flawed in areas, especially the ability to search unallocated disk space.

I would be very wary of relying on it as the only tool used in an examination unless you know exactly what it is you should be looking for and have done some testing on how the triage tools perform.

 
Posted : 27/08/2013 1:15 am
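ali-b's point about unallocated space, as an added example that is not part of the thread and not any vendor's code: a constructed 4 KiB "image" with a toy allocation table standing in for a file system. A scan that walks only allocated files (what a triage pass over a live file system sees) reports the PNG and nothing else; a raw signature sweep over every byte also finds the JPEG header that was left behind in unallocated space after the file was deleted. The JFIF and PNG magic bytes are real; the image layout, file names and allocation table are made up for the example.

```python
# Real file signatures; everything else in this block is constructed.
JPEG_JFIF = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
SIGNATURES = {"jpeg": JPEG_JFIF, "png": PNG_SIG}


def build_image():
    """Constructed 4 KiB image plus a toy allocation table of (name, offset, length).

    Two files are allocated. A third, a JPEG, was 'deleted': its table entry
    is gone but its bytes are still sitting at offset 0x800.
    """
    image = bytearray(4096)
    notes = b"hello"
    image[0x100:0x100 + len(notes)] = notes
    png = PNG_SIG + b"\x00" * 32
    image[0x400:0x400 + len(png)] = png
    jpg = JPEG_JFIF + b"\x00" * 64
    image[0x800:0x800 + len(jpg)] = jpg
    table = [("notes.txt", 0x100, len(notes)), ("logo.png", 0x400, len(png))]
    return bytes(image), table


def scan_allocated(image, table, signatures=SIGNATURES):
    """File-system-level scan: only bytes the allocation table points at are read.

    This is the view a tool gets when it enumerates files on a mounted volume,
    so anything deleted but not yet overwritten is invisible to it.
    """
    hits = []
    for name, offset, length in table:
        data = image[offset:offset + length]
        for kind, sig in signatures.items():
            if data.startswith(sig):
                hits.append((kind, name, offset))
    return hits


def carve_raw(image, signatures=SIGNATURES):
    """Signature sweep over every byte, allocated or not, as a carver does."""
    hits = []
    for kind, sig in signatures.items():
        start = 0
        while True:
            idx = image.find(sig, start)
            if idx < 0:
                break
            hits.append((kind, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def unallocated_only(image, table, signatures=SIGNATURES):
    """Carve hits that fall outside every allocated extent: what the
    file-system-level scan cannot see."""
    extents = [(off, off + length) for _, off, length in table]
    return [h for h in carve_raw(image, signatures)
            if not any(lo <= h[1] < hi for lo, hi in extents)]


if __name__ == "__main__":
    img, tbl = build_image()
    print("allocated files with a known signature:", scan_allocated(img, tbl))
    print("raw carve hits:", [(k, hex(o)) for k, o in carve_raw(img)])
    print("only in unallocated space:", [(k, hex(o)) for k, o in unallocated_only(img, tbl)])
```

The toy table stands in for the directory structures a real file system keeps; the behaviour it models is the same. A tool whose search is driven by the file system finds exactly the allocated hits, and the deleted JPEG in unallocated space only shows up for the byte-level sweep, which is the capability ali-b found lacking and one reason a "clean" triage result does not cover the whole disk.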